FTC Can Regulate Customer Data Security, Court Rules

If personally identifiable data about your organization’s customers is lost to malicious outsiders as the result of a data breach, can the US Federal Trade Commission pursue you for unfair business practices?

Yes, said the Third Circuit Court of Appeals in Philadelphia, in a unanimous decision handed down yesterday.

The decision is being widely interpreted as a blanket grant to the FTC — yes, that’s the Trade Commission, not Communications — to treat cyber security as a business practice. If Internet service is a utility, as the FCC decided earlier this year, then it may not be too great a leap of logic to consider Internet security as a business practice.

The case in question concerns Wyndham Hotels, the nation’s No. 3 hotel chain behind Hilton and Marriott, and the licensor of the Days Inn, Wingate, Ramada, and Super 8 brands. Beginning in July 2008, a Wyndham franchisee was the victim of a cyber attack, affecting customer records kept by as many as 41 Wyndham properties.

'Established Public Policies'

Here’s where the case already gets sticky: It’s the franchisee that operates the equipment by which the Wyndham corporate database is accessed.

If that were the only attack, though, we wouldn’t be talking about it today. The same franchisee was attacked at least two more times, well into 2009.

This led to a situation, according to the FTC’s 2012 complaint against Wyndham, where guests were misinformed about the hotel’s security policy.

The hotel had reason to know it was not providing the adequate security that its stated policy appeared to be guaranteeing ... on that policy disclosure page that Wi-Fi users swiftly ignore before clicking on “Accept.”

“Here, Wyndham ignored multiple warning signs that its network had been compromised,” reads the FTC complaint, “and it failed to address repeated and obvious security lapses that left its computer networks vulnerable to intruders. As a result, hackers infiltrated Wyndham’s computer network and stole customer credit card information, which was used to make millions of dollars in fraudulent charges on the accounts of Wyndham’s customers.”

Wyndham challenged the FTC’s right to bring the complaint at all, filing a motion in US District Court in New Jersey to dismiss the case.

At issue there was the FTC’s right to define “unfair business practices” using whatever seems practical at the time.

US law defines the FTC’s right to make this determination by way of an exception.

The Commission cannot define anything as unfair, states 15 USC 45(n), “unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

What’s more, the same section continues, in weighing what’s fair and unfair at any given time, “the Commission may consider established public policies as evidence to be considered with all other evidence.”

“It’s clear that this definition is very open ended: ‘substantial injury’ meaning what? ‘Reasonably avoided’ how?” said Santalesa. “‘Countervailing benefits to consumers or competition’ of what type and nature?

“As a result, attorneys who deal with reviewing products and services that may be subject to FTC jurisdiction,” he continued, “apply a contextual analysis that attempts to understand each of the three tines: injury (potential); avoidance and, to a much lesser degree, what benefits may exist to the course of action/conduct.”

Is Negligence Unfair?

So here is the issue in a new light: Does the public’s expectation of data privacy and security extend to the methods an institution chooses in delivering them? Maybe the people’s right to privacy is a mandate.

But is it a public policy in itself, that an institution can violate by not implementing good enough preventative measures?

“Sometimes public policy will independently support a Commission action,” reads the FTC’s current Policy Statement on Unfairness. “This occurs when the policy is so clear that it will entirely determine the question of consumer injury, so there is little need for separate analysis by the Commission.”

What is “clear public policy” in a case like this, where the public only knows about as much as the FTC doles out in a press release?

On the other hand, does Wyndham’s having thrown in the towel on security altogether in 2008 border on what anyone in the public would consider fraud?

“Many states have ‘mini FTC’ acts that mirror the FTC’s language on this front,” said Santalesa, “even while states take a different approach as to what constitutes ‘unfairness.’”

Usually, business practices complaints from the FTC don’t get pushed this far.

As George Washington University Professor Daniel J. Solove and Samford University Professor Woodrow Hartzog wrote in 2013 for the Columbia Law Review, although statute gives the FTC the right to apply “common-law” principles in determining the value of privacy policies, the depths of some of these principles “have become so specific they resemble rules.”

“Common-law” in this case tends to mean the way judges ascertain legal rules through a consistent application of decisions in past cases. It has evolved (with a little help from the FTC) to include legal settlements reached between the FTC and other defendants that avoided judges altogether.

In other words, Congress has never had to legislate these matters because the FTC has been diligent enough to develop a code of best practices that most companies won’t challenge.

One reason it’s rarely challenged, the professors wrote, is that companies may find it less expensive to settle with the Commission, even though penalties for those who don’t settle have been as low as $1,000.

“Since settlement agreements do not concede liability, companies are able to move forward without having to admit wrongdoing,” they wrote. “Companies may be motivated to avoid the reputational costs of apologizing.”

'Common-Law'

But Wyndham came to the decision that it had a reputation to salvage, especially after news of its franchisee’s failure to stop the subsequent 2009 attacks made the press. Wyndham became “the first notable player to have pushed back in challenging the FTC’s scope of authority,” noted Santalesa.

Wyndham’s argument was that, no matter how in-depth its “common-law” principles may have become, the documents that introduce those principles — one of which was merely a consent decree — do not constitute rulemaking.

What’s more, as Profs. Solove and Hartzog pointed out, “the FTC has virtually unrestrained discretion to define the ‘access and scope of the consent order process.’” That free rein, they argued, is a good thing in the end, because it enables public policy on privacy and cyber security to evolve naturally, rather than get mired in the legislative process.

Leaving the FTC unharnessed in this way, argued Wyndham Hotels in its appeal to the Third Circuit, would be the same as granting the Commission the right to “regulate the locks on hotel room doors,” “to require every store in the land to post an armed guard at the door,” and to file complaints against every supermarket “sloppy about sweeping up banana peels.”

Writing for the Third Circuit in affirming the District Court, Judge Thomas Ambro wrote, “The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”

Put another way, the Court appears to be saying that any data breach this severe violates public policy, regardless of the device used to record that policy. If that’s the case, there probably won’t be many more cases like Wyndham for some time to come.